Owing to inherent limitations of audit, there is an unavoidable risk that some material misstatements will not be detected, even though the audit is properly planned and performed.
Auditing financial statements in these modern times is a fairly complex process given the role information technology plays in financial and non-financial aspects of a business. Principles of fair value, estimations in rapidly changing business scenarios, complex accounting literature and rules, meeting expectations of analysts by companies and managements and a number of other business risks are the variables that need to be dealt with.
Though society expects an audit to be a certification process of the profit and the balance sheet, the inherent limitations of the audit process mean it gives reasonable assurance and no absolute comfort; yet every time a scandal breaks out, everyone stands up to say, "What was the auditor doing?"
The auditor's opinion on financial statements provides users with a high, but not absolute, level of assurance. Financial statements contain approximations, not exact amounts, with respect to many items, especially depreciation, provision for bad and doubtful assets, impairments, estimates, evaluation of uncertainties, etc.
Absolute assurance in auditing is not a realistic goal because of such limiting factors as the prevalence of assessments, uncertainties and estimates which are integral to a financial statement. This is a risk all users of financial statements face.
The concept of reasonable assurance, therefore, does not ensure or guarantee the complete accuracy of the financial statements.
There is usually a gap in the understanding of an auditor's role vis-à-vis the preparation of financial statements. The Institute of Chartered Accountants of India's (ICAI's) Auditing and Assurance Standard (AAS) 28 specifies that the responsibility for the financial statements is that of the management and goes on to state that financial statements are the representations of management.
The preparation of such statements requires the management to make significant accounting estimates and judgments, as well as to determine the appropriate accounting principles and methods used in preparation of the financial statements. In contrast, the auditor's responsibility is to audit these financial statements in order to express an opinion thereon.
If the expectation of society is to obtain a certificate of accuracy from an auditor on the financial statements, then the rules of auditing need to be rewritten, and this will have a significant bearing on time required to prepare such accounts and costs relating to issue of financial statements.
The primary responsibility for the prevention and detection of fraud and error rests with both those charged with the governance and the management of an entity. This includes ensuring the integrity of the entity's accounting and financial reporting systems and that appropriate controls are in place, including those for monitoring risk, financial control and compliance with the laws and regulations.
Such systems reduce but still do not eliminate the risk of misstatements, whether caused by fraud or error. Accordingly, the management assumes responsibility for any residual risk.
Owing to the inherent limitations of audit, there is an unavoidable risk that some material misstatements in the financial statements will not be detected, even though the audit is properly planned and performed in accordance with the auditing standards generally accepted in India.
However, the risk of not detecting a material misstatement resulting from fraud is higher than the risk of not detecting a material misstatement resulting from error, because fraud generally involves sophisticated and carefully organised schemes designed to conceal it, such as forgery, deliberate failure to record transactions, or intentional misrepresentations being made to the auditor. Such attempts at concealment may be even more difficult to detect when accompanied by collusion among those responsible for maintaining systems. Collusion may cause the auditor to believe that evidence is persuasive when it is, in fact, false.
The auditor's ability to detect a fraud depends on factors such as the skilfulness of the perpetrator, the frequency and extent of manipulation, the degree of collusion involved, the relative size of individual amounts manipulated, and the seniority of those involved.
Audit procedures that are effective in detecting an error may be ineffective in detecting fraud. The risks of fraud are inherent to any commercial enterprise. KPMG, in its India Fraud Survey Report 2008, states that only 4 per cent of the frauds are detected by the statutory auditors, while about 60 per cent are detected by internal processes and audits and 36 per cent through accidents or tip-offs.
In the event of a management fraud of massive scale, it is quite common to jump to the conclusion that the auditor connived with the perpetrators or was grossly negligent.
A well-concealed management fraud, usually carried out by persons whose reputation is seemingly beyond reproach, is difficult to unearth.
Expectations from auditor
Auditors have a unique responsibility, and a consequent liability, towards all stakeholders who may rely on an audit report. This includes shareholders, investors, creditors, government, employees, tax authorities, environmental groups and, in cases like Satyam, society at large, a responsibility which, at times, can extend across borders.
A key element of an auditor's responsibility is to show professional scepticism in dealing with the appropriate evidence he tests to support his conclusions. The principles of professional scepticism can be best described as "trust, but verify".
There is a need to go beyond the obvious explanations, as a reasonable person is expected to do in his line of duty.
However, an audit is not an investigation and the framework of audit is built on trust. If the role and responsibility of the auditor are not defined and in some ways limited, this places an unusually high expectation on the auditor to uncover all fraud and material misstatements, which amounts to a forensic investigation rather than a statutory audit.
This is counterproductive and would raise the cost of compliance and the time involved to unusually high proportions.
If the need is to have a forensic audit embodied in a statutory audit that would second-guess all management actions, including controls, with a view to uncovering a potential fraud, then the auditing rules need to be redrawn. Today, in India, as in the rest of the world, an audit opinion is built on the premise of reasonable assurance to the intended users.
Indian Auditing Standards are issued by the ICAI and are drawn from the International Standards of Auditing, which are the global standards of auditing. There are further standards on quality controls and oversight.
The oversight mechanism includes peer review of a firm by another firm of chartered accountants approved by the Institute, and the Quality Review Board is entrusted to review quality of services, which include audit services, provided by a chartered accountant. All members of the ICAI are subject to disciplinary jurisdiction of the Institute. The Financial Reporting Review Board of the ICAI reviews a sample of financial reports for improvements.
The Securities and Exchange Board of India (SEBI), the Ministry of Company Affairs (MCA), the Reserve Bank of India (RBI), the Comptroller & Auditor General of India (CAG), the income-tax authorities, and so on, have an influence on the overall audit process conducted by an auditor.
The board and the independent directors of the company have, under Clause 49, a responsibility to review and question the auditors, and the audit committee and the independent directors review the quality of the auditors' work every year before they are put up for reappointment. These gatekeepers make the process fairly robust, but it is in the details where the cracks appear.
What we need is not more regulations but a more streamlined and efficient system of regulatory and supervisory mechanisms that performs effective oversight.
Audit is a deterrent but not a guarantee that no financial misstatements are embodied in a financial statement. It is very much like having law enforcement agents, but this does not guarantee that no crime will take place.